3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
109 lines
3.1 KiB
Text
109 lines
3.1 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-96:19 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: Buffer overflow in modstat
|
|
|
|
Category: core
|
|
Module: modstat
|
|
Announced: 1996-12-10
|
|
Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1.5, 2.1.6, 2.1.6.1
|
|
Corrected: FreeBSD-current as of 1996/08/08
|
|
FreeBSD only: no
|
|
|
|
Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:19/
|
|
|
|
=============================================================================
|
|
|
|
I. Background
|
|
|
|
The modstat program is used to display status of loaded kernel modules.
|
|
It is standard software in the FreeBSD operating system.
|
|
|
|
II. Problem Description
|
|
|
|
The modstat program has always been installed setuid kmem. Within
|
|
the program, a buffer overflow can occur.
|
|
|
|
|
|
III. Impact
|
|
Local users can gain kmem privileges.
|
|
|
|
|
|
IV. Workaround
|
|
|
|
Modstat does not need to be setuid kmem. It is thus sufficient to
|
|
do the following:
|
|
su
|
|
cd /usr/bin
|
|
chmod 555 modstat
|
|
This effectively clears the setuid bit on the modstat program.
|
|
|
|
V. Solution
|
|
|
|
Apply the following patch:
|
|
(This patch can also be found on
|
|
ftp://freebsd.org/pub/CERT/patches/SA-96:19)
|
|
|
|
Index: Makefile
|
|
===================================================================
|
|
RCS file: /home/freebsd/CVS/src/usr.bin/modstat/Makefile,v
|
|
retrieving revision 1.1
|
|
retrieving revision 1.2
|
|
diff -u -r1.1 -r1.2
|
|
- --- Makefile 1994/08/19 12:14:02 1.1
|
|
+++ Makefile 1996/05/30 02:19:03 1.2
|
|
@@ -38,7 +38,5 @@
|
|
|
|
PROG= modstat
|
|
MAN8= modstat.8
|
|
- -BINGRP= kmem
|
|
- -BINMODE=2555
|
|
|
|
.include <bsd.prog.mk>
|
|
Index: modstat.c
|
|
===================================================================
|
|
RCS file: /home/freebsd/CVS/src/usr.bin/modstat/modstat.c,v
|
|
retrieving revision 1.3
|
|
retrieving revision 1.4
|
|
diff -u -r1.3 -r1.4
|
|
- --- modstat.c 1995/04/20 05:08:53 1.3
|
|
+++ modstat.c 1996/08/08 07:58:07 1.4
|
|
@@ -72,8 +72,9 @@
|
|
{
|
|
struct lmc_stat sbuf;
|
|
|
|
+ sbuf.name[MAXLKMNAME - 1] = '\0'; /* In case strncpy limits the string. */
|
|
if (modname != NULL)
|
|
- - strcpy(sbuf.name, modname);
|
|
+ strncpy(sbuf.name, modname, MAXLKMNAME - 1);
|
|
|
|
sbuf.id = modnum;
|
|
|
|
=============================================================================
|
|
FreeBSD, Inc.
|
|
|
|
Web Site: http://www.freebsd.org/
|
|
Confidential contacts: security-officer@freebsd.org
|
|
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
|
|
Security notifications: security-notifications@freebsd.org
|
|
Security public discussion: security@freebsd.org
|
|
|
|
Notice: Any patches in this document may not apply cleanly due to
|
|
modifications caused by digital signature or mailer software.
|
|
Please reference the URL listed at the top of this document
|
|
for original copies of all patches if necessary.
|
|
=============================================================================
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMq2381UuHi5z0oilAQE99wP+NktTxugo1lrVDm0FVcmqd8c3zu6s95Wt
|
|
WCvM9GLECCVB+sFbssbikQc35SvgzEjnE4lZ3J4VBrAoThG3tLOmO5si0csM8dwE
|
|
QPGMyR/fdU7DpYXEK/XKuDxre1TDJ0uOwU9DfBewgy0o5OiybRR5dxj3nsJIznnd
|
|
F5O6NNppKb0=
|
|
=qcrF
|
|
-----END PGP SIGNATURE-----
|